| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| HIGH | 8.2 | CVE-2026-31824 | Sylius has a Promotion Usage Limit Bypass via Race Condition | from 0, < 1.9.12 |
| HIGH | 7.5 | CVE-2024-40633 | Sylius has a security vulnerability via adjustments API endpoint | >= 1.12.0-alpha.1, < 1.12.19; >= 1.10.0, < 1.10.11 |
| MEDIUM | 6.1 | — | Improper sanitize of SVG files during content upload ('Cross-site Scripting') in sylius/sylius | from 0, < 1.9.10 |
| MEDIUM | 6.1 | — | Improper Restriction of Rendered UI Layers or Frames in Sylius | from 0, < 1.9.10 |
| MEDIUM | 5.3 | — | Sylius has a DQL Injection via API Order Filters | from 0, < 1.9.12 |
| MEDIUM | 5.3 | — | List of order ids, number, items total and token value exposed for unauthorized uses via new API | >= 1.9.0, < 1.9.5 |
| MEDIUM | 5.0 | — | Sensitive Information Exposure in Sylius | from 0, < 1.9.10 |
| MEDIUM | 4.8 | — | Sylius Vulnerable to Authenticated Stored XSS | >= 2.0.0, < 2.0.16 |
| MEDIUM | 4.8 | — | Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel | from 0, < 1.9.12 |
| MEDIUM | 4.8 | — | XSS injection in the Grid component of Sylius | >= 1.0.0, < 1.1.18 |
| MEDIUM | 4.4 | — | Ability to switch channels via GET parameter enabled in production environments | from 0, < 1.3.16 |
| MEDIUM | 4.4 | — | Ability to expose data in Sylius by using an unintended serialisation group | from 0, < 1.3.12 |
| MEDIUM | 4.3 | — | Ability to switch customer email address on account detail page and stay verified | >= 1.7.0, < 1.7.9 |
| MEDIUM | 4.1 | — | Cross site scripting in sylius/sylius | from 0, < 1.9.10 |
| LOW | 3.5 | — | Internal exception message exposure for login action in Sylius | from 0, < 1.3.14 |
| — | — | — | Sylius has a XSS vulnerability in checkout login form | >= 2.0.0, < 2.0.16 |
| — | — | — | Sylius is Missing Authorization in API v2 Add Item Endpoint | >= 2.0.0, < 2.0.16 |
| — | — | — | Sylius affected by IDOR in Cart and Checkout LiveComponents | >= 2.0.0, < 2.0.16 |
| — | — | — | Sylius has an Open Redirect via Referer Header | from 0, < 1.9.12 |
| — | — | — | Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book | from 0, < 1.9.12 |